Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Hi Mariano,
> Quick question, has anyone ever implemented a kind of Remember Me On This
> Computer feature in Seaside? If so, any guidelines or code share? :)
> Thanks in advance,

I have. It has been a while, so I don't remember the details, but it was simple. Create a cookie at a point in time when you have the info you want to remember, with whatever info you want to remember. Read the cookie when things start. No cookie - nothing to remember; cookie - use whatever you wanted to remember.

Lou
-----------------------------------------------------------
Louis LaBrunda
Keystone Software Corp.
SkypeMe callto://PhotonDemon
mailto:[hidden email] http://www.Keystone-Software.com
> On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
>
> Hi guys,
>
> Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)

I guess it is normally implemented by storing a cookie; when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)

I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).

Most browsers remember and autofill username/password fields; it works for my Seaside apps. That should be enough and is much safer.

HTH,

Sven

> Thanks in advance,
>
> --
> Mariano
> http://marianopeck.wordpress.com
On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <[hidden email]> wrote:
Hi Sven, but where are the tokens persisted on the client side?

In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2

But I don't know how hard it would be to implement that in Pharo/Seaside.

Thoughts?
> On 23 Sep 2015, at 19:45, Mariano Martinez Peck <[hidden email]> wrote:
>
> On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <[hidden email]> wrote:
>
> > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
> > >
> > > Hi guys,
> > >
> > > Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
> >
> > I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
> >
> > I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some else you end up at the homepage all the time).
>
> Hi Sven, but where are the tokens persisted on the client side?
>
> In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better:
> https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
>
> But I don't know how hard it would be to implement that in Pharo/Seaside.
>
> Thoughts?

Well, I do what is called 'Persistent Authentication Tokens' in the article.

The timing attack is really very far fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.

But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement. It is all pretty easy, using a cookie.

> > Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
> >
> > HTH,
> >
> > Sven
> >
> > > Thanks in advance,
> > >
> > > --
> > > Mariano
> > > http://marianopeck.wordpress.com
>
> --
> Mariano
> http://marianopeck.wordpress.com
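The scheme Sven says he uses, the 'Persistent Authentication Tokens' of the article Mariano linked (a random selector that drives the database lookup, plus a random validator of which only a hash is stored server-side and which is compared in constant time), as an added worked example in Python. This is not Sven's code and not a Seaside API; the class RememberMeStore, its methods issue/authenticate/revoke, the cookie_header helper, the dict standing in for the application's database and the two-week TOKEN_LIFETIME_SECONDS are all assumptions of this example. The persistent=False switch in cookie_header reproduces the session-only cookie Sven describes in his first reply (the browser drops it when the browser session ends).

```python
import hashlib
import hmac
import secrets
import time

# Token lifetime. Sven limits his tokens to "a week or two"; two weeks is assumed here.
TOKEN_LIFETIME_SECONDS = 14 * 24 * 3600


class RememberMeStore:
    """Server-side token table, kept in a dict here as a stand-in for the
    application's database (hypothetical helper, not a Seaside API)."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock, so expiry can be exercised in tests
        self._rows = {}    # selector -> (sha256(validator), user_id, expires_at)

    def issue(self, user_id):
        """Mint a token for user_id and return the cookie value 'selector:validator'.
        Only a hash of the validator is stored, so a copy of the table alone
        does not yield a usable cookie."""
        selector = secrets.token_hex(12)    # public lookup key, unique per token
        validator = secrets.token_hex(32)   # secret part, only ever stored hashed
        self._rows[selector] = (
            hashlib.sha256(validator.encode()).digest(),
            user_id,
            self._now() + TOKEN_LIFETIME_SECONDS,
        )
        return f"{selector}:{validator}"

    def authenticate(self, cookie_value):
        """Return the user_id for a valid, unexpired cookie value, else None.
        The selector is a plain equality lookup; the validator is then checked
        with a constant-time comparison against the stored hash."""
        if not cookie_value or ":" not in cookie_value:
            return None
        selector, validator = cookie_value.split(":", 1)
        row = self._rows.get(selector)
        if row is None:
            return None
        validator_hash, user_id, expires_at = row
        if self._now() > expires_at:
            del self._rows[selector]    # expired: drop it so the table stays small
            return None
        candidate = hashlib.sha256(validator.encode()).digest()
        if not hmac.compare_digest(candidate, validator_hash):
            # Known selector with the wrong validator: treat the token as compromised
            # and revoke it, so no further guesses can be tried against it.
            del self._rows[selector]
            return None
        return user_id

    def revoke(self, cookie_value):
        """Forget a token, e.g. on explicit logout. Returns True if one was removed."""
        if not cookie_value or ":" not in cookie_value:
            return False
        selector = cookie_value.split(":", 1)[0]
        return self._rows.pop(selector, None) is not None


def cookie_header(value, persistent=True):
    """Build the Set-Cookie header line for the token. With persistent=False the
    Max-Age attribute is omitted and the browser discards the cookie at the end
    of the browser session, which is the variant Sven describes."""
    attrs = ["remember_me=" + value, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if persistent:
        attrs.insert(1, "Max-Age=%d" % TOKEN_LIFETIME_SECONDS)
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("mariano")    # user id is a constructed sample value
    print(cookie_header(cookie, persistent=False))
    print(store.authenticate(cookie))
    print(store.authenticate(cookie.split(":", 1)[0] + ":not-the-validator"))
```

At session start the application reads the remember_me cookie, calls authenticate, and logs the user in without a prompt when it returns a user id; on logout it calls revoke and clears the cookie. The constant-time comparison costs nothing to keep even if, as Sven says, the timing attack is far fetched for a networked app.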
On Wed, Sep 23, 2015 at 3:08 PM, Sven Van Caekenberghe <[hidden email]> wrote:
Indeed, I was planning to do that as well. I guess it's not that easy for you to share the code as an example, is it? Like one of your always super cool posts :)
Yeah, the timing attack looked like a bit too much for me as well.
Yes, it doesn't look more complicated.